Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Encrypting entire database
- Thread starter bascy
- Start date
sleipnir214
Programmer
Sure. Download the source code and modify it.
But encrypting a database is almost certainly a very bad idea. It adds complexity to an already complex system, it can lead to your losing all access to your own data, and it really doesn't accomplish much.
If your application can get to the data, so can anyone who gets your application's user credentials.
Want the best answers? Ask the best questions: TANSTAAFL!!
But encrypting a database is almost certainly a very bad idea. It adds complexity to an already complex system, it can lead to your losing all access to your own data, and it really doesn't accomplish much.
If your application can get to the data, so can anyone who gets your application's user credentials.
Want the best answers? Ask the best questions: TANSTAAFL!!
sleipnir214
Programmer
That and make sure that no one but MySQL and your superuser have access to the database store on the filesystem.
You'd want to lock down the filesystem anyway -- the last thing anyone needs is for someone to be tinkering with the database store while MySQL is trying to use it.
Want the best answers? Ask the best questions: TANSTAAFL!!
You'd want to lock down the filesystem anyway -- the last thing anyone needs is for someone to be tinkering with the database store while MySQL is trying to use it.
Want the best answers? Ask the best questions: TANSTAAFL!!
- Thread starter
- #5
And how can i realise that .. "locking down the database with user credentials stored in the application?"
Bascy
Software developer at
Bascy
Software developer at
- Thread starter
- #6
I'm not sure you understand the situation here.
We are developing an application that is sold by our client.
The customers of our client are the organisations that will be using the application. And we want to prevent those customers from tinkering with the data outside the application. Or using the data with some sort of reporting tool without our knowledge (we'd like the hours to make those reports ourselves!!)
Maybe this will cearify the situation a bit
Bascy
Software developer at
We are developing an application that is sold by our client.
The customers of our client are the organisations that will be using the application. And we want to prevent those customers from tinkering with the data outside the application. Or using the data with some sort of reporting tool without our knowledge (we'd like the hours to make those reports ourselves!!)
Maybe this will cearify the situation a bit
Bascy
Software developer at
sleipnir214
Programmer
Honestly, unless you forbid them the ability to manage their own MySQL installations, this is probably impossible.
You can protect the user credentials your application uses to access the data. But if the client has root access to the server, there is nothing stopping him from creating another user which can also access the data.
From an ethical standpoint, locking a user out of his own data is questionable at best.
Want the best answers? Ask the best questions: TANSTAAFL!!
You can protect the user credentials your application uses to access the data. But if the client has root access to the server, there is nothing stopping him from creating another user which can also access the data.
From an ethical standpoint, locking a user out of his own data is questionable at best.
Want the best answers? Ask the best questions: TANSTAAFL!!
- Thread starter
- #8
Studying the docus on MySQL and searching the net, i'v come to the conclusion that you're probably right about the fact that if a client has root access to his server, he can access his data. Although there are databases (i.e. Advantage Database Server) that do have the possibility to encrypt the database and therefore only make the data readable if provided with a decrypt key (password).
The ethical standpoint you take i dont agree with. What we are trying to prevent is giving a client access to the application data outside of the application (and the businessrules it enforces) and outside of our knowledge. Giving the degree of IT-education from the client that will be using this software they would do more harm then good. our experiences shows that users like this don't easily confess they have been tampering with the data, and blame the application for any inconsistencies that arise.
And using closed databases is nothing new.
Bascy
Software developer at
The ethical standpoint you take i dont agree with. What we are trying to prevent is giving a client access to the application data outside of the application (and the businessrules it enforces) and outside of our knowledge. Giving the degree of IT-education from the client that will be using this software they would do more harm then good. our experiences shows that users like this don't easily confess they have been tampering with the data, and blame the application for any inconsistencies that arise.
And using closed databases is nothing new.
Bascy
Software developer at
sleipnir214
Programmer
That's not what you said. You said that you were doing it to make sure you would get the hours to create the reports.
Locking a client out of data he owns is ethically questionable in general. It's his data -- if he wants to trash it, he's legally allowed to.
Locking a client out of his own data to protect him from his own ignorance is one thing. However, locking a client out of his own data to protect your business model is completely another thing. And that was your original reason for doing it, and the one which I must weigh more heavily.
You're right -- closed databases are nothing new. However, the reaction of so many entities around the world to those closed databases is. Just look at government reactions to closed data models in Munich, Peru, New Zealand, Australia, Scotland, China, Japan, and South Korea over the last 5 years.
Want the best answers? Ask the best questions: TANSTAAFL!!
Locking a client out of data he owns is ethically questionable in general. It's his data -- if he wants to trash it, he's legally allowed to.
Locking a client out of his own data to protect him from his own ignorance is one thing. However, locking a client out of his own data to protect your business model is completely another thing. And that was your original reason for doing it, and the one which I must weigh more heavily.
You're right -- closed databases are nothing new. However, the reaction of so many entities around the world to those closed databases is. Just look at government reactions to closed data models in Munich, Peru, New Zealand, Australia, Scotland, China, Japan, and South Korea over the last 5 years.
Want the best answers? Ask the best questions: TANSTAAFL!!
- Thread starter
- #10
Ok, i'm guilty of having multiple reasons for wanting a closed database ... some of them for the protection of the client, some of them for the benefit of ourselves.
I'm not very up to speed about all the gouverment reactions you're refering to. From our side its just a mostly very pratical reason for closing it.
By the way if the client would ask us to make it possible to export the data on a regular basis to some known format (XLS, CSV, XLM) we wouldnt hesitate to do so.
Bascy
Software developer at
I'm not very up to speed about all the gouverment reactions you're refering to. From our side its just a mostly very pratical reason for closing it.
By the way if the client would ask us to make it possible to export the data on a regular basis to some known format (XLS, CSV, XLM) we wouldnt hesitate to do so.
Bascy
Software developer at
sleipnir214
Programmer
Let's say that I need a product that provides the functionality that yours does, and I am looking at your product and a couple of your competitors'.
I need it to run on my own machines. If I have a choice between your product, where you want to lock me out of my own data, or another product which would allow me to gain access to my data, your company just missed a sale. My server, my data, my rules. I may never directly access the data and always use your reports. But I'll have those passwords available in the case that I need them, thank you.
If your product runs on your servers and you sell access to my data to me as a service, it would be different. It would be unreasonable of me to expect to access my data in any way other than the interfaces you provide. You would likely be selling your service to other clients, too, and you can't allow any client to jeopardize your operation, which could jeopardize all clients' operations.
Want the best answers? Ask the best questions: TANSTAAFL!!
I need it to run on my own machines. If I have a choice between your product, where you want to lock me out of my own data, or another product which would allow me to gain access to my data, your company just missed a sale. My server, my data, my rules. I may never directly access the data and always use your reports. But I'll have those passwords available in the case that I need them, thank you.
If your product runs on your servers and you sell access to my data to me as a service, it would be different. It would be unreasonable of me to expect to access my data in any way other than the interfaces you provide. You would likely be selling your service to other clients, too, and you can't allow any client to jeopardize your operation, which could jeopardize all clients' operations.
Want the best answers? Ask the best questions: TANSTAAFL!!
- Thread starter
- #12
You're right about the possible loss of sale ... if there were any competitors, but at this moment there arent any. And it is not expected for at least a year.
Besides, like i said the degree of IT-knowledge with the potential users-organisations is very low. 99% of them doesnt know or care what a closed database is.
Anyway, it is not really my own choice but the choice of our client (the one selling the product). With that I must admit to you that you have made some strong points.
Thanks for the discussion.
Bascy
Software developer at
Besides, like i said the degree of IT-knowledge with the potential users-organisations is very low. 99% of them doesnt know or care what a closed database is.
Anyway, it is not really my own choice but the choice of our client (the one selling the product). With that I must admit to you that you have made some strong points.
Thanks for the discussion.
Bascy
Software developer at
- Status
Similar threads